The New York Times published an eye-opening article last weekend, “They Paid Nearly a Half Million in Ransom. Where’s the Data?” about a recent ransomware attack on Lake City, Fla. The city’s insurer paid the ransom demand (43 Bitcoins or about $460,000), but Lake City is still reeling from the damage done.
Sure, the hackers provided the decryption key, but – get this – each terabyte of data takes 12 hours to decrypt, which means that it will take eight days for Lake City to recover all of its data. At this rate, full recovery for bigger organizations with more data could take weeks or even months. In today’s fast-paced world, who can afford this kind of productivity loss? Especially as organizations increasingly leverage real-time data to make decisions, the potential loss of revenue could be significant.
What is the lesson here? Simple. Paying ransom does not guarantee a happy ending to the situation.
But that’s not all of the bad news. To add insult to injury, the article also mentions that thousands of pages of documents that had been painstakingly digitized will have to be manually scanned again. “It puts us years and years and years behind,” said Audrey Sikes, a city clerk of Lake City.
Ransomware on the rise and what to do about it
The problem of ransomware isn’t getting any better. In 2016, Kaspersky estimated there was a ransomware attack every 40 seconds; Cybersecurity Ventures expects 2019 to average one every 14 seconds. Even worse, 77% of companies infected with ransomware were actually running up-to-date endpoint protection, according to research from Sophos, indicating that these kinds of preventative measures aren’t sufficient. And when you consider that 68% of businesses don’t have cyber insurance coverage, it’s certain that the harm caused by ransomware will grow.
The spread of malware is swift and silent, especially if it goes unnoticed for hours, days or weeks. No local SAN or NAS is safe. They are all vulnerable to the infection, which can spread throughout the network, encrypting file volumes within minutes and affecting home drives, department shares, virtual machines, and applications.
Why is it so difficult to recover data after a ransomware attack? Because it requires following a methodical process for:
- Identifying infected endpoints
- Taking endpoint devices off the network
- Wiping endpoint devices
- Identifying infected servers (data files, applications, key systems)
- Remediating and/or patching systems
- Recovering from the backup’s point in time (prior to malware)
- Remediating and/or patching after recovery
Many organizations are taking the necessary steps to strengthen risk prevention, by updating software for cyber security, investing in security training for personnel and making sure all software is up-to-date with the latest patches. However, risk prevention alone is not enough. Today’s enterprises need to know how to prepare for when (not if) their data is held hostage. Some measures to take into consideration include:
- Looking for tested backup and DR with an air gap (which could include snapshot technology) so that ransomware cannot encrypt them
- Understanding the pros/cons of local storage array recovery and determining whether a plan B is necessary
- Knowing the limitations of cloud providers, which don’t act like a traditional storage array, requiring organizations to deploy additional backup and disaster recovery (DR) software and hardware
- Understanding your RPOs (recovery point objectives) and RTOs (recovery time objectives)
Be realistic and do your homework by asking yourself whether your organization is really protected and how soon you must have access to your data after a ransomware attack.
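One way to put numbers on that question, as an added example that is not part of the original article: the sketch below picks the newest air-gapped snapshot taken before the infection and checks the resulting data loss and restore time against RPO and RTO targets. The snapshot catalog, timestamps, 16 TB volume, restore throughput and targets are all constructed assumptions; only the 12 hours per terabyte decryption rate comes from the article.

```python
from datetime import datetime, timedelta

DECRYPT_HOURS_PER_TB = 12  # decryption rate the article reports for Lake City

# Constructed snapshot catalog (not real data). "air_gapped" marks copies
# that were unreachable from the infected network.
SNAPSHOTS = [
    {"taken": datetime(2024, 1, 9, 0, 0), "air_gapped": True},
    {"taken": datetime(2024, 1, 10, 0, 0), "air_gapped": False},  # online copy
    {"taken": datetime(2024, 1, 10, 6, 0), "air_gapped": True},   # after infection
]

def pick_restore_point(snapshots, first_infection):
    """Newest air-gapped snapshot taken strictly before the first infection."""
    clean = [s for s in snapshots
             if s["air_gapped"] and s["taken"] < first_infection]
    return max(clean, key=lambda s: s["taken"], default=None)

def recovery_plan(snapshots, first_infection, taken_offline, data_tb,
                  restore_hours_per_tb, rpo, rto):
    """Compare a restore from backup against the RPO/RTO targets."""
    snap = pick_restore_point(snapshots, first_infection)
    if snap is None:
        return None  # no usable backup: the "plan B" question from the list
    data_loss = taken_offline - snap["taken"]  # work created after the snapshot
    restore_time = timedelta(hours=data_tb * restore_hours_per_tb)
    return {
        "restore_point": snap["taken"],
        "data_loss": data_loss,
        "meets_rpo": data_loss <= rpo,
        "restore_time": restore_time,
        "meets_rto": restore_time <= rto,
        # time to decrypt the same volume with the attacker's key, for comparison
        "decrypt_time": timedelta(hours=data_tb * DECRYPT_HOURS_PER_TB),
    }

if __name__ == "__main__":
    plan = recovery_plan(
        SNAPSHOTS,
        first_infection=datetime(2024, 1, 10, 3, 0),   # constructed
        taken_offline=datetime(2024, 1, 10, 9, 0),     # constructed
        data_tb=16,               # assumed; 16 TB at 12 h/TB is the article's eight days
        restore_hours_per_tb=2,   # assumed restore throughput
        rpo=timedelta(hours=24), rto=timedelta(hours=48),  # assumed targets
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The restore time covers data transfer only; wiping endpoints and patching before and after recovery add to it.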
Ultimately, the goal is to not be blindsided by a ransomware attack in your organization. Malware threats don’t have happy endings. So, don’t count on ransomware insurance to get back in business fast. Decrypting your data in the aftermath of an attack could take far longer than you expect, crippling your organization’s ability to operate for weeks, even months.
No matter what way you look at it, you don’t want to be in the difficult position of Joseph Helfenberger, city manager of Lake City, Fla. “We were … faced with either re-creating the data from scratch or paying the ransom,” he said.
Want to learn how you can prevent loss of systems, data, and productivity as a result of ransomware? Watch this on-demand webinar, “How Can You Recover Your Data Quickly After a Ransomware Attack?”